CVE Alert: CVE-2025-40778 – ISC – BIND 9

CVE-2025-40778

HIGH · No exploitation known

Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

CVSS v3.1 (8.6)
AV NETWORK · AC LOW · PR NONE · UI NONE · S CHANGED
Vendor
ISC
Product
BIND 9
Versions
9.11.0 to 9.16.50 | 9.18.0 to 9.18.39 | 9.20.0 to 9.20.13 | 9.21.0 to 9.21.12 | 9.11.3-S1 to 9.16.50-S1 | 9.18.11-S1 to 9.18.39-S1 | 9.20.9-S1 to 9.20.13-S1 (all ranges inclusive)
CWE
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Published
2025-10-22T15:47:13.243Z
Updated
2025-10-22T17:32:02.211Z

AI Summary Analysis

Risk verdict

High risk to any BIND 9 recursive resolver: the flaw is reachable over the network with no privileges or user interaction, the rated impact is high integrity (C:N/I:H/A:N), and the scope is changed because every client of a poisoned resolver inherits the forged data. Patch promptly.

Why this matters

Forged records in a resolver's cache misdirect every subsequent query for the affected names, for as long as the forged TTL lasts, so users and services behind the resolver can be sent to attacker-controlled hosts without any compromise of their own. One poisoned cache therefore affects all of its clients at once, and the resolver is an infrastructure dependency that is easy to overlook during incident response. The CVSS rating covers integrity only; any availability effect is a secondary consequence of the misdirection, not part of the scored impact.

Most likely attack path

The attacker must get a forged response accepted by the resolver: either from an on-path position, or off-path by answering faster than the legitimate nameserver while matching the query's transaction ID and source port. Normally a resolver also discards records in a reply that are unrelated to the question or outside the responding server's authority; this flaw is the resolver being too lenient in that filtering, so forged or unrelated records that a strict resolver would drop can be cached. The advisory text does not state the exact condition under which the leniency occurs. Because cached data is served to every client of the resolver, the effect extends well beyond the single cache entry. No privileges or user interaction are required. Note: at publication there are no known active exploits or public PoC.
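To make the CWE-349 pattern concrete, the following is an added example by the editor (not BIND's code, and not the specific condition ISC fixed, which the advisory text above does not spell out): a toy resolver-side acceptance filter over a simplified, constructed response. The lenient path caches everything the server sent; the strict path first checks that the reply matches the outstanding query (transaction ID, name, type) and then keeps only records inside the responding server's bailiwick. The message model, zone, names and addresses are all constructed sample data.

```python
"""Illustrative record-acceptance filter for DNS replies (CWE-349 pattern).

Added example, not BIND's implementation. Messages are simplified Python
objects rather than wire-format DNS; the sample data is constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


@dataclass
class Response:
    txid: int
    qname: str
    qtype: str
    answer: List[RR]
    authority: List[RR]
    additional: List[RR]


def _norm(name: str) -> str:
    """Lower-case, fully-qualified form so comparisons are label-aware."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a proper subdomain of zone."""
    n, z = _norm(name), _norm(zone)
    if z == ".":          # the root zone contains everything
        return True
    return n == z or n.endswith("." + z)


def accept_lenient(resp: Response) -> List[RR]:
    """Weak behaviour: cache every record the server put in the reply,
    whether or not it has anything to do with the question asked."""
    return resp.answer + resp.authority + resp.additional


def accept_strict(expected_txid: int, qname: str, qtype: str,
                  resp: Response, zone: str) -> List[RR]:
    """Hardened behaviour: reject the whole reply if it does not match the
    outstanding query, then drop any record outside the server's bailiwick."""
    if (resp.txid != expected_txid
            or _norm(resp.qname) != _norm(qname)
            or resp.qtype != qtype):
        return []
    kept = []
    for section in (resp.answer, resp.authority, resp.additional):
        for rr in section:
            if in_bailiwick(rr.name, zone):
                kept.append(rr)
    return kept


def build_sample() -> Response:
    """Constructed reply: the resolver asked ns1.example.com (authoritative
    for example.com) for www.example.com/A with TXID 0x1A2B. The reply
    carries legitimate data plus two records for an unrelated zone."""
    return Response(
        txid=0x1A2B, qname="www.example.com.", qtype="A",
        answer=[RR("www.example.com.", "A", "192.0.2.10")],
        authority=[RR("example.com.", "NS", "ns1.example.com."),
                   RR("bank.test.", "NS", "ns1.example.com.")],      # extraneous
        additional=[RR("ns1.example.com.", "A", "192.0.2.53"),        # glue, in bailiwick
                    RR("login.bank.test.", "A", "198.51.100.66")],    # extraneous
    )


def demo():
    """Return (names cached leniently, names cached strictly, result for a
    reply whose TXID does not match the outstanding query)."""
    resp = build_sample()
    lenient = [r.name for r in accept_lenient(resp)]
    strict = [r.name for r in accept_strict(0x1A2B, "www.example.com.", "A",
                                            resp, zone="example.com.")]
    wrong_txid = accept_strict(0x0000, "www.example.com.", "A",
                               resp, zone="example.com.")
    return lenient, strict, wrong_txid


if __name__ == "__main__":
    lenient, strict, wrong_txid = demo()
    print("lenient cached:", lenient)
    print("strict cached:", strict)
    print("mismatched TXID cached:", wrong_txid)
```

The lenient path ends up with an A record for `login.bank.test.` and an NS record for `bank.test.` in the cache, supplied by a server that was never asked about that zone; the strict path keeps only the three example.com records, and discards the whole reply when the transaction ID does not match. A production resolver applies further rules (answer-section records must relate to the question name or its CNAME chain, for instance), but the bailiwick check is the core of what CWE-349 describes.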

Who is most exposed

Any BIND 9 instance that performs recursion is exposed: public recursive resolvers first, but also internal caching resolvers, since an attacker only needs to be able to deliver a forged reply to the resolver, not to query it. Exposure is highest where the resolver accepts queries from untrusted networks or does not perform DNSSEC validation.

Detection ideas

  • bursts of DNS responses arriving at the resolver with no matching outstanding query, or with a transaction ID or destination port that does not match one (an off-path spoofing attempt looks like a flood of such mismatches)
  • cached answers for well-known names that differ from what the authoritative servers return; compare the cache (rndc dumpdb -cache) or a non-recursive query against a direct query to the authoritative server
  • cached records with unexpectedly long TTLs, or for names the resolver's clients never asked about
  • responses whose source address is not one of the nameservers the resolver actually queried
  • spikes in SERVFAIL or DNSSEC validation failures: with validation enabled, forged data for a signed zone fails validation instead of being cached, so a poisoning attempt shows up as validation errors in the resolver log

Mitigation and prioritisation

  • Upgrade to the patched releases: 9.18.41, 9.20.15, 9.21.14 (and the corresponding -S1 builds of the Supported Preview Edition). The 9.11 and 9.16 branches are listed as affected but no fixed release is given for them here; instances on those branches need to move to a supported branch.
  • Enable DNSSEC validation (dnssec-validation auto) so that forged records for signed zones are rejected rather than cached; this does not protect unsigned zones. Enable DNS cookies, noting they only help against spoofing for nameservers that also support them.
  • Restrict recursion to trusted clients (allow-recursion) and do not expose the resolver to networks that do not need it. Response Rate Limiting limits the volume of answers a server sends and mainly counters reflection abuse; it is not a control against poisoning of the resolver's own cache.
  • Monitor resolver logs for the patterns above; correlate bursts of unmatched responses or validation failures with query spikes.
  • Schedule the upgrade in a controlled change window, test in staging first, and after upgrading flush the cache (rndc flush) so that any records cached before the fix are not served on.
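For triage across a fleet, the following is an added example by the editor (not ISC tooling): it pulls the version out of output in the style of `named -v` and compares it against the affected ranges and fixed releases listed in this alert. The branch table is transcribed from the alert; the handling of the 9.11 and 9.16 branches (no fixed release listed) and of versions that fall between an affected range and the fixed release is the editor's own, and the sample version strings are constructed.

```python
"""Triage a BIND 9 version string against CVE-2025-40778 as listed in this alert.

Added example; not ISC's code. Affected ranges and fixed releases are copied
from the alert text. The 'no fixed release listed' outcome for the 9.11/9.16
range reflects the alert naming no fix for those branches.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release or None) per the alert.
AFFECTED = [
    ((9, 11, 0), (9, 16, 50), None),          # no fixed release listed
    ((9, 18, 0), (9, 18, 39), (9, 18, 41)),
    ((9, 20, 0), (9, 20, 13), (9, 20, 15)),
    ((9, 21, 0), (9, 21, 12), (9, 21, 14)),
]
# Supported Preview Edition (-S1) ranges; fixes are the -S1 builds of the same numbers.
AFFECTED_S1 = [
    ((9, 11, 3), (9, 16, 50), None),
    ((9, 18, 11), (9, 18, 39), (9, 18, 41)),
    ((9, 20, 9), (9, 20, 13), (9, 20, 15)),
]

_VER_RE = re.compile(r"\b(9)\.(\d+)\.(\d+)(-S1)?")


def parse_version(text: str) -> Tuple[Version, bool]:
    """Extract (major, minor, patch) and whether it is an -S1 build from text
    such as 'BIND 9.18.39 (Extended Support Version) <id:...>'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("no BIND 9 version found in: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), bool(m.group(4))


def triage(text: str) -> dict:
    """Return a verdict dict: version, affected, fixed_in (str or None), action."""
    ver, s1 = parse_version(text)
    table = AFFECTED_S1 if s1 else AFFECTED
    suffix = "-S1" if s1 else ""

    def fmt(v: Version) -> str:
        return "%d.%d.%d%s" % (v[0], v[1], v[2], suffix)

    for lo, hi, fixed in table:
        if lo <= ver <= hi:
            if fixed is None:
                return {"version": fmt(ver), "affected": True, "fixed_in": None,
                        "action": "affected; no fixed release listed for this branch, "
                                  "migrate to a supported branch (9.18/9.20/9.21)"}
            return {"version": fmt(ver), "affected": True, "fixed_in": fmt(fixed),
                    "action": "upgrade to " + fmt(fixed)}

    # Not inside a listed range: flag versions that are still older than their
    # branch's fixed release, so a gap in the listed ranges is not read as "safe".
    for lo, hi, fixed in table:
        if fixed is not None and ver[:2] == fixed[:2] and ver < fixed:
            return {"version": fmt(ver), "affected": False, "fixed_in": fmt(fixed),
                    "action": "not in a listed affected range but older than the "
                              "fixed release; confirm against the ISC advisory"}

    return {"version": fmt(ver), "affected": False, "fixed_in": None,
            "action": "not in any affected range listed in this alert"}


if __name__ == "__main__":
    # Constructed sample strings in the shape of `named -v` output.
    for sample in ("BIND 9.18.39 (Extended Support Version) <id:deadbeef>",
                   "BIND 9.20.13-S1 (Supported Preview Edition)",
                   "BIND 9.16.50", "BIND 9.18.41", "BIND 9.18.40"):
        print(sample, "->", triage(sample))
```

Run the real check with `triage(subprocess.check_output(["named", "-v"], text=True))` on each host, or feed it version strings collected by your inventory tooling. The middle branch of `triage` exists because the alert lists affected ranges that stop short of the fixed release; a version in that gap should be confirmed rather than assumed safe.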
